feat: Upgrade to sqitch 1.5.0

KineticCafe · Jan 9, 2025 · 6e685a9 · 6e685a9
1 parent 428818f
commit 6e685a9
Show file tree

Hide file tree

Showing 12 changed files with 172 additions and 57 deletions.
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+github: halostatue
+buy_me_a_coffee: halostatue
+ko_fi: halostatue
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml
@@ -13,15 +13,17 @@ jobs:
     name: Build Test Image
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: docker/[email protected]
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
       - id: package-versions
         run: echo "data=$(cat package-versions.json)" >> $GITHUB_OUTPUT
 
       - id: docker_build
-        uses: docker/[email protected]
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
         with:
           context: .
           push: false

diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -15,12 +15,16 @@ jobs:
     name: Build and Push to Docker Hub
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
         if: github.event_name == 'push'
-      - uses: actions/checkout@v4
-        if: github.event_name == 'workflow_dispatch'
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
+          persist-credentials: false
           ref: refs/tags/${{ github.event.inputs.tag }}
+        if: github.event_name == 'workflow_dispatch'
 
       - run: |
           echo REPOSITORY="$(
@@ -29,19 +33,19 @@ jobs:
               sed 's/docker-//'
           )" >"${GITHUB_ENV}"
 
-      - uses: docker/[email protected]
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - uses: docker/[email protected]
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 #v5.6.1
         with:
           images: |
             ${{ env.REPOSITORY }}
@@ -56,14 +60,14 @@ jobs:
             type=semver,pattern={{major}}
             type=sha
 
-      - uses: docker/[email protected]
-      - uses: docker/[email protected]
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
       - id: package-versions
         run: echo "data=$(cat package-versions.json)" >> $GITHUB_OUTPUT
 
       - id: docker_build
-        uses: docker/[email protected]
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
         with:
           context: .
           push: true
@@ -84,15 +88,17 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - uses: ghalactic/github-release-from-tag@v5
+      - uses: ghalactic/github-release-from-tag@cebdacac0ccd08933b8e7f278f4123723ad978eb #v5.4.0
         with:
           summaryEnabled: false
 
-      - uses: peter-evans/[email protected]
+      - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae #v4.0.0
         with:
           repository: kineticcafe/${{ env.REPOSITORY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
+        run: echo "${DIGEST}"
+        with:
+          DIGEST: ${{ steps.docker_build.outputs.digest }}
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -0,0 +1,53 @@
+name: Reviewdog
+
+on:
+  pull_request:
+
+jobs:
+  typos:
+    if: ${{ github.event.action != 'closed' }}
+    name: Typos
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: reviewdog/action-typos@2e6b919585397817d4fc55f0ee1dc771530b1089 #v1.13.0
+
+  actionlint:
+    if: ${{ github.event.action != 'closed' }}
+    name: Actionlint
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: reviewdog/action-actionlint@534eb894142bcf31616e5436cbe4214641c58101 #v1.61.0
+
+  hadolint:
+    if: ${{ github.event.action != 'closed' }}
+    name: Actionlint
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: reviewdog/action-hadolint@a588cf93c77060a2836b260c6f0860dc102e8d83 #v1.48.2
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10.1
+
+      - run: cargo install --locked zizmor
+      - run: zizmor --persona pedantic --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  cache-poisoning:
+    ignore:
+      - build-test-image.yml:26
+      - publish-release.yml:3
diff --git a/Dockerfile b/Dockerfile
@@ -10,6 +10,7 @@ ARG SQITCH_VERSION
 ARG __DOCKERFILE_VERSION__
 ARG __DOCKERFILE_DATE__
 
+# hadolint ignore=DL3018,DL3019
 RUN <<SETUP
 set -eux
 

diff --git a/Justfile b/Justfile
@@ -236,17 +236,18 @@ generate_pgtap_dockerfile:
         )
 
         if ! command -v "${wanted_clang}" >/dev/null 2>/dev/null; then
-          version="${wanted_clang/clang-}"
+          version=$(echo "${wanted_clang}" | sed 's/clang-//')
           apk add clang"${version}" llvm"${version}"
         fi
 
         mkdir -p /opt/pgtap/#{name}
         SETUP
 
+        WORKDIR /opt/pgtap-$PGTAP_VERSION
+
         RUN <<BUILD
         set -eux
 
-        cd /opt/pgtap-$PGTAP_VERSION
         make
         make install
         mv sql/pgtap.sql sql/uninstall_pgtap.sql /opt/pgtap/#{name}
@@ -262,6 +263,8 @@ generate_pgtap_dockerfile:
     dockerfile = <<~DOCKERFILE
       # syntax=docker/dockerfile:1
 
+      # hadolint global ignore=DL3018,DL3019,DL4006
+
       #{blocks.join("\n\n")}
 
       FROM alpine:{{ alpine_version }} AS package-pgtap

diff --git a/README.md b/README.md
@@ -1,23 +1,23 @@
 # [ghcr.io/]kineticcafe/sqitch-pgtap: Sqitch/PostgreSQL & pgTAP in Docker
 
-This is a simple Docker container that contains [sqitch][], [pgTAP][], and
-[`pg_prove`][] for use with PostgreSQL. It has been created so that it's easier
-to work with `sqitch` and `pg_prove`/`pgTAP` without going through the effort of
-installing them on various systems.
+This is a simple Docker container that contains [sqitch][sqitch],
+[pgTAP][pgTAP], and [`pg_prove`][`pg_prove`] for use with PostgreSQL. It has
+been created so that it's easier to work with `sqitch` and `pg_prove`/`pgTAP`
+without going through the effort of installing them on various systems.
 
 The image is based on Alpine 3.19 and does not include a PostgreSQL server;
 instead, it is expected that all values will be provided through environment
 variables or on the command-line.
 
-Unless otherwise noted, pgTAP will be installed from [PGXN][].
+Unless otherwise noted, pgTAP will be installed from [PGXN][PGXN].
 
 This version of the container includes:
 
 - pgTAP 1.3.3 (from theory/pgtap@02bc769c92c48d01e4c2f76db6523287017b45a9)
-  - Full support for PostgreSQL 12, 13, 14, 15, and 16
-  - Best effort support for end of life PostgreSQL versions 9.6, 10, and 11
-- pg_prove 3.36
-- Sqitch 1.4.1
+  - Full support for PostgreSQL 12, 13, 14, 15, 16, and 17
+  - Best effort support for end of life PostgreSQL versions 9.6, 10, 11, and 12
+- pg\_prove 3.36
+- Sqitch 1.5.0
 
 The version of pgTAP is installed and uninstalled as needed; unit test files
 _**must not**_ include `CREATE EXTENSION pgtap`.
@@ -36,14 +36,14 @@ it manages environment variable configuration for each run. The
 
 ```console
 $ IMAGE=kineticcafe/sqitch-pgtap:latest ./run version
-[gchr.io/]kineticcafe/sqitch-pgtap:2.7.0
+[gchr.io/]kineticcafe/sqitch-pgtap:2.10.0
 
-  alpine 3.19
-  sqitch (App::Sqitch) v1.4.1
+  alpine 3.21
+  sqitch (App::Sqitch) v1.5.0
   pgtap 1.3.3
   pg_prove 3.36
 
-Last updated 2024-04-22
+Last updated 2025-01-07
 ```
 
 ### Installing `kineticcafe-sqitch-pgtap`